Info@NationalCyberSecurity

SuperMailer Exploitation Shows Need for Dynamic Cybersecurity



Cofense’s recent phishing research demonstrates the impressive skill of threat actors in discovering various methods for launching attacks.

The month of May saw an increase in the number of malicious emails sent, owing to high-volume SuperMailer campaigns, the email security vendor found. SuperMailer, which is legitimate mailing software, saw an 87% increase in usage during the second quarter.

“Threat actors abusing legitimate tools is nothing new. However … abusing SuperMailer was unexpected and seems to have caught many secure email gateways [SEGs] by surprise,” noted Max Gannon, senior cyber threat intelligence analyst at Cofense.

While SuperMailer-generated campaigns follow easily detectable patterns in most of their emails, many SEGs are still unable to block the emails effectively. “While automated systems like SEGs are great and can stop a lot of things, they still have easy-to-exploit blind spots,” Gannon said. “Now that the threat actors know this is effective, they will likely use other legitimate software with similar capabilities once SEGs adapt to the SuperMailer campaigns.” 

This reinforces the need for human intervention in email security, both at the individual email level and in the management of SEGs, he added.

The prominent malware families for most threats included Agent Tesla, Formco, and NetSupport RAT. Agent Tesla showed consistently high levels of activity volume throughout Q2. 

Shifting Tactics

According to the Cofense study, there was an uptick in the use of JS.Dropper and PowerShell as malware delivery mechanisms during the second quarter. JS.Dropper rose sharply by 240% in Q2. Additionally, the threat actors behind Qakbot employed various delivery mechanisms: They used PDF attachments leading to Windows Script Files in April, then favored JS.Dropper attachments in May. 

Cofense’s research also identified the primary individual and top-level domains used to deliver phishing emails. In Q2, the top three were myqcloud.com, adobe.com, and sharepoint.combing.com.

Myqcloud.com has been easily exploited in part because it is a new platform. “When new platforms such as myqcloud.com come into play, they often do not have the same experience with abuse mitigation that services such as Microsoft do,” Gannon said.

Moreover, myqcloud.com shares a similar status as trusted content delivery domains. As such, threat actors find these domains attractive and easy targets. “In particular, many of these new platforms do not have suitable methods of safely handling redirects, so their websites can easily be exploited to redirect to malicious web pages,” Gannon noted.
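The redirect weakness Gannon describes is worth seeing in code. The following is an added example, not Cofense's research or any platform's actual implementation: a naive redirect handler that trusts a caller-supplied `next` parameter, beside a hardened version that only follows same-site paths or an allowlist of hosts. The host names and the `next` values are constructed for illustration.

```python
from urllib.parse import urlsplit

# Hosts a post-login redirect may land on (constructed allowlist for this example).
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def naive_redirect_target(next_url: str) -> str:
    """Vulnerable form: returns the caller-supplied target unchanged.

    A link such as https://trusted.example.com/login?next=https://evil.example.net/
    would send the user to the attacker's page under the trusted domain's banner.
    """
    return next_url


def safe_redirect_target(next_url: str, default: str = "/") -> str:
    """Hardened form: allow only a local path or an allowlisted absolute URL.

    Anything else (foreign host, scheme-relative URL, non-http scheme, userinfo
    tricks, backslash variants) falls back to `default`.
    """
    if not next_url:
        return default

    # Some browsers treat backslashes as slashes, so normalise before parsing.
    candidate = next_url.replace("\\", "/")
    parts = urlsplit(candidate)

    # Reject javascript:, data: and any other non-web scheme.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default

    if parts.netloc:
        # Absolute or scheme-relative ("//host/...") URL: hostname is parsed
        # after any user:pass@ prefix, so "https://example.com@evil" yields "evil".
        host = parts.hostname or ""
        if parts.username is not None or host not in ALLOWED_HOSTS:
            return default
        return candidate

    # No host: accept only a plain local path that starts with exactly one slash.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate


if __name__ == "__main__":
    # Constructed sample 'next' values as they might appear in a login URL.
    samples = [
        "/account",
        "https://www.example.com/dashboard",
        "https://evil.example.net/",
        "//evil.example.net/",
        "https://example.com.evil.example.net/",
        "https://example.com@evil.example.net/",
        "/\\evil.example.net",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:45} naive -> {naive_redirect_target(s)!r:45} safe -> {safe_redirect_target(s)!r}")
```

The design choice is an allowlist rather than a blocklist: every suspicious encoding trick the parser might accept is rejected by default, and the only way through is an exact hostname match or a single-slash local path.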

In Q2, successful phishing scams were typically designed for specific organizations and users. Scams included email body drafts that featured the recipients’ names and email addresses. The success of these tailored campaigns suggests that future campaigns may adopt a similar personalized approach, perhaps on a larger scale. 

What IT Pros Can Do To Protect Organizations

As with all security threats, it’s crucial to establish both a culture of informed users and an organization-wide process for reporting threats. Realistic phishing simulations can help to familiarize employees with common tactics that bad actors use. In addition to fostering a culture that promotes reporting without shame, IT professionals should diligently document and categorize the different threats that their organization could encounter. 

Different threats require different responses, so IT professionals must respond with the most effective and targeted approach. “It’s important to track credential phishing campaigns and malware delivery campaigns separately,” Gannon advised. “Malware and credential phishing campaigns often have very different targets and have very different ways of delivering their payload.”

Gannon further stressed keeping track of threats to your organization. “An employee having their Facebook account compromised and an employee having a loader malware installed on their computer that could deliver ransomware to the entire organization require very different responses,” he said.
